*The OWASP Java HTML Sanitizer Project is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.

*The OWASP Java HTML Sanitizer Project is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.

−

*This code was written with security best practices in mind and has an extensive test suite but it has not yet undergone an adversarial security review. Please treat it as alpha software.

+

*This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review [https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules].

*The existing dependencies are on guava and JSR 305. The JSR 305 dependency is a compile-only dependency, only needed for annotations. The other jars are only needed by the unittests.

*The existing dependencies are on guava and JSR 305. The JSR 305 dependency is a compile-only dependency, only needed for annotations. The other jars are only needed by the unittests.

*Provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode.

*Provides 4X the speed of AntiSamy sanitization in DOM mode and 2X the speed of AntiSamy in SAX mode.

| release_1 = We are currently at Alpha right now - but will be production ready and soon.

+

| release_1 = Release_v135

−

| release_2 =

+

| release_2 = Release_v175

−

| release_3 =

+

| release_3 = Release_v209

| release_4 =

| release_4 =

<!--- The line below is for GPC usage only. Please do not edit it --->

<!--- The line below is for GPC usage only. Please do not edit it --->

Line 54:

Line 54:

}}

}}

−

==== Questions ====

+

= Info =

+

+

The OWASP HTML Sanitizer is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.

+

+

The existing dependencies are on guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, only needed for annotations.

+

+

This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review.

+

+

A great place to get started using the OWASP Java HTML Sanitizer is here: [https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted https://code.google.com/p/owasp-java-html-sanitizer/wiki/GettingStarted].

+

+

= Creating a HTML Policy =

+

+

You can use prepackaged policies here: [http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html http://owasp-java-html-sanitizer.googlecode.com/svn/trunk/distrib/javadoc/org/owasp/html/Sanitizers.html].

+

+

PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);

+

String safeHTML = policy.sanitize(untrustedHTML);

+

+

or the tests show how to configure your own policy here: [http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java http://code.google.com/p/owasp-java-html-sanitizer/source/browse/trunk/src/tests/org/owasp/html/HtmlPolicyBuilderTest.java]

+

+

PolicyFactory policy = new HtmlPolicyBuilder()

+

.allowElements("a")

+

.allowUrlProtocols("https")

+

.allowAttributes("href").onElements("a")

+

.requireRelNofollowOnLinks()

+

.build();

+

String safeHTML = policy.sanitize(untrustedHTML);

+

+

or you can write custom policies to do things like changing h1s to divs with a certain class:

+

+

PolicyFactory policy = new HtmlPolicyBuilder()

+

.allowElements("p")

+

.allowElements(

+

new ElementPolicy() {

+

public String apply(String elementName, List<String> attrs) {

+

attrs.add("class");

+

attrs.add("header-" + elementName);

+

return "div";

+

}

+

}, "h1", "h2", "h3", "h4", "h5", "h6"))

+

.build();

+

String safeHTML = policy.sanitize(untrustedHTML);

+

+

= Questions =

*How was this project tested?

*How was this project tested?

+

**This code was written with security best practices in mind, has an extensive test suite, and has undergone [https://code.google.com/p/owasp-java-html-sanitizer/wiki/AttackReviewGroundRules adversarial security review].

*How is this project deployed?

*How is this project deployed?

+

**This project is best deployed through Maven [https://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven https://code.google.com/p/owasp-java-html-sanitizer/wiki/Maven]

The OWASP Java HTML Sanitizer Project is a fast and easy to configure HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS.